We have been hearing a lot lately about cyber risks and data breaches and the copious amounts of data that are leaked daily. This note looks at simple and effective steps that individuals and businesses can take to mitigate the impact of cyber risks.

The Office of the Australian Information Commissioner is compiling statistics on the notifiable data breaches it receives (which are significantly more than the voluntary data breach notifications it has received in the past). These are expected to be published on a quarterly basis, with one report already published since the commencement of the scheme in February this year. Based on the data, in Australia, we are averaging 2.5 data breaches per working day that are likely to cause serious harm to individuals. Of significance is that the second most affected industry sector is the legal, accounting and management professional service sector.

It is useful to consider the causes of data breaches and what makes them so prevalent. There are many surveys conducted on data breaches which highlight increasing criminal hacks. However, it is equally important to keep in mind that many data breaches result from inadequate internal systems or people issues or third-party vendors. In the 2017 Cost of Data Breach Study in Australia, the Ponemon Institute found that 52% of data breaches in the surveyed year were as a result of system glitches or employee/contractor error; with the remainder due to malicious and criminal hacks.

In our online socially-connected world many of us access “free” email providers, social media networks and for almost every interaction we have these days on the web we are required to create accounts and passwords for simple interactions including one-off transactions, whether it is buying tickets, booking hotels, or online shopping. These accounts commonly hold our addresses, phone numbers, date of birth and other personal information. For those who don’t use password safes, we then generate further risks by reusing the same passwords for multiple accounts. These practices exacerbate the impact of breaches on one account to multiple accounts, as effectively they can all be potentially compromised. Additionally, employees may often use their work email addresses to login to various services, whether it is online shopping or social media. Looking at LinkedIn, as an example, I found that of my LinkedIn connections 15% use a work email address to access LinkedIn.

There is now a proliferation of monitoring tools that identify emails and passwords that have been compromised and are stored on the ‘darkweb’. Troy Hunt from have I been pwned which enables you to check if your account has been compromised, testified before the US Congress on the impact of breaches on identity verification, and argued that static knowledge-based authentication is becoming increasingly risky in a post-breach data world. In other words, relying on data like passwords, email addresses and other static attributes is risky. Identity fraud increases, trust diminishes (both ways between customers and organisations) and billions of dollars are wasted as more and more data is compromised.

Against that backdrop, let me come back to my question: what can individuals and businesses do that is simple and cost-effective to mitigate these risks? There are of course many services that can let you know whether your accounts and passwords have been compromised and offer recovery services for things such as identity theft. There is also cyber insurance that can defray some of the expense. However, one simple step that individuals and businesses can take to minimise the impact of cyber risk is to adopt two-factor authentication wherever possible.

Two-factor authentication these days is very simple to use and there are multiple great free options, like the authy app, physical tokens like yubikey and a good old-fashioned sms or call. The latter two are less secure due to risks relating to telecommunication service provider vulnerabilities and illegal temporary mobile phone number porting, though using sms or call two-factor authentication is still better than not using two-factor authentication at all, if the other better options are not available. The app and physical token options are also suitable for when you are travelling overseas if you don’t take with you the sim you enrolled in for two-factor authentication.

Some services also only instigate the two-factor authentication when they see that the device being used is not the device which was used to enrol in the two-factor authentication, hence reducing some of the burden that some people may perceive in using two-factor authentication whilst still providing the added protection. For businesses, rolling out mandatory two-factor authentication to their employees should become the norm. For individuals, commonly used social media and email providers offer simple options for two-factor authentication. So, why not enable it? It is not just yourself you will be helping to protect, but your friends and workmates too.

Annelies Moens, CIPT, FAICD, CMgr FIML is a widely recognised global privacy expert and thought leader, trusted by business executives, government and privacy professionals with close to 20 years’ experience. She is Managing Director of Privcore and cofounder of the International Association of Privacy Professionals in Australia and New Zealand. She held elected roles during her six year Board term, including as President. She has held several senior leadership roles, including as Deputy Managing Director of a privacy consultancy, External Relations Manager at an online legal publisher, Group Manager and Chief Privacy Officer at a copyright licensing agency, and Deputy Director at the Australian privacy regulator. Annelies has an MBA in general international management (distinction) from the Vlerick Business School in Belgium, is a qualified lawyer, has undergraduate degrees in computer science and law (first class honours) from The University of Queensland, Australia. Contact Annelies at operations@privcore.com. You can also connect with Annelies via LinkedIn